System for controlling the distribution and use of rendered digital works through watermarking

ABSTRACT

A trusted rendering system for use in a system for controlling the distribution and use of digital works. A trusted rendering system facilitates the protection of rendered digital works which have been rendered on a system which controls the distribution and use of digital works through the use of dynamically generated watermark information that is embedded in the rendered output. The watermark data typically provides information relating to the owner of the digital work, the rights associated with the rendered copy of the digital work and when and where the digital work was rendered. This information will typically aid in deterring or preventing unauthorized copying of the rendered work. The system for controlling distribution and use of digital works provides for attaching persistent usage rights to a digital work. Digital works are transferred between repositories which are used to request and grant access to digital works. Such repositories are also coupled to credit servers which provide for payment of any fees incurred as a result of accessing a digital work.

This Application claims benefit of Provisional Application Ser. No. 60/039,275 filed Feb. 28, 1997.

FIELD OF THE INVENTION

The present invention relates to the field of distribution and usage rights enforcement for digitally encoded works, and in particular to identification of non-authorized copies of digitally encoded works that have been rendered.

BACKGROUND OF THE INVENTION

U.S. Pat. No. 5,629,980 entitled “System For Controlling the Distribution And Use Of Digital Works”, issued May 13, 1997, describes a system which provides for the secure and accounted for distribution of digitally encoded works (hereinafter digital works). However, once a digital work leaves the digital domain, e.g. it is printed out, played or otherwise rendered, it is no longer secure and can be subjected to unauthorized copying. This is a problem for all rendered digital works.

Two known techniques for protecting digital works by imparting information onto the digital work itself are “watermarking” and “fingerprinting”. The term watermark historically refers to a translucent design impressed on paper during manufacture which is visible when the paper is held to the light. Because watermarks are impressed using combinations of water, heat, and pressure, they are not easy to add or alter outside of the paper factory. Watermarks are used in making letterheads and are intended to indicate source and that a document is authentic and original and not a reproduction.

One technique for creating such a watermark when a digital work is printed is described in U.S. Pat. No. 5,530,759 entitled “Color Correct Digital Watermarking of Images” issued Jun. 25, 1996. In this approach the watermark image is combined with the digital image to create the watermarked image. The watermark image acts as a template to change the chromaticity of corresponding pixels in the digital image thus creating the watermark. In any event, these notices serve as social reminders to people to not make photocopies.

The term watermark is now used to cover a wide range of technologies for marking rendered works, including text, digital pictures, and digital audio with information that identifies the work or the publisher. Some watermarks are noticeable to people and some are hidden. In some kinds of watermarks, the embedded information is human readable, but in other kinds the information can only be read by computers.

The term fingerprint is sometimes used in contrast with watermarks to refer to marks that carry information about the end user or rendering event rather than the document or publisher. These marks are called “fingerprints” because they can be used to trace the source of a copy back to a person or computer that rendered the original.

The same technologies and kinds of marks can be used to carry both watermark and fingerprint information. In practice, it is not only possible but often desirable and convenient to combine both kinds of information—for watermarks and fingerprints—in a single mark.

With respect to paper based documents, the simplest approach to providing a mark is a graphical symbol or printed notice that appears on each page. This is analogous to a copyright notice. Such notices can be provided by the publisher in the document source or added later by a printer. These notices serve as social reminders to people to not make photocopies.

Other approaches hide information in the grey codes (or intensity) on a page. Although in principle such approaches can embed data in greycode fonts, their main application so far has been for embedding data in photographs. One set of approaches is described by Cox et al. in a publication entitled “Secure spread spectrum watermarking for Multimedia”, NEC Research Institute Technical Report 95-10, NEC Research Institute, Princeton, N.J. 08540. To decode data encoded in the approach described by Cox et al. requires comparing the encoded picture with the original to find the differences. The advantage of these approaches is that they can embed the data in such a way that it is very difficult to remove, not only by mechanical means but also by computational means.

As described above, watermarks need not be perceptible to the viewer. For example, one technique is to embed data in the white space of a document. An example of this kind of approach was described by Brassil et al. in a publication entitled “Electronic marking and identification techniques to discourage document copying”, IEEE Journal on Selected Areas in Communications, Vol. 13, No. 8, pages 1495-1504, October 1995. The idea is to slightly vary the spacing of letters and lines in a digital work. The advantages of this approach are that it is not visible and is hard to remove. A disadvantage is that it has a very limited capacity for carrying data—only a few bytes per page.

Another watermarking scheme for use in digital works representing images is available from the Digimarc Corporation. The Digimarc watermark is invisible and is used to convey ownership information relating to the image. From the Digimarc World Web Page describing their technology (URL http://www.digimarc.com/wt_page.html): “A Digimarc watermark imitates naturally occurring image variations and is placed throughout the image such that it cannot be perceived. To further hide the watermark, the Digimarc watermarking process is perceptually adaptive—meaning it automatically varies the intensity of the watermark in order to remain invisible in both flat and detailed areas of an image.” Reading of the Digimarc watermark is through a Digimarc reader which can extract the watermark from the image.

Other related prior art includes Daniele, U.S. Pat. No. 5,444,779, on “Electronic Copyright Royalty Accounting System for Using Glyphs”, which discloses a system for utilizing a printable, yet unobtrusive glyph or similar two-dimensionally encoded mark to identify copyrighted documents. Upon attempting to reproduce such a document, a glyph is detected, decoded and used to accurately collect and/or record a copyright royalty for the reproduction of the document or to prevent such reproduction. Furthermore, the glyph may also include additional information so as to enable an electronic copyright royalty accounting system, capable of interpreting the encoded information to track and/or account for copyright royalties which accrue during reproduction of all or portions of the original document.

Merkle, et al., U.S. Pat. No. 5,157,726 entitled “Document Copy Authentication” describes a system for document authentication which utilizes an ID card coupled to a copying machine capable of reading the ID card. The copying machine imparts digitally encoded identification information, e.g. a digital signature, onto a copied document based on information contained in the ID card. The copied document can then be authenticated by scanning the document to extract and decode the digital signature.

SUMMARY OF THE INVENTION

A trusted rendering system for use in a system for controlling the distribution and use of digital works is disclosed. The currently preferred embodiment of the present invention is implemented as a trusted printer. However, the description of the invention herein applies to any rendering device. A trusted printer facilitates the protection of printed documents which have been printed from a system which controls the distribution and use of digital works. The system for controlling distribution and use of digital works provides for attaching persistent usage rights to a digital work. Digital works are transferred in encrypted form between repositories. The repositories are used to request and grant access to digital works. Such repositories are also coupled to credit servers which provide for payment of any fees incurred as a result of accessing or using a digital work.

The present invention extends the existing capabilities of the system for controlling distribution and use of digital works to provide a measure of protection when a document is printed. The present invention adds to the system the ability to include watermark information to a document when it is rendered (i.e. a Print right associated with the document is exercised). In the currently preferred embodiment of a trusted printer, the watermark is visible. However, other “invisible” watermarking technologies may also be used. The watermark data typically provides information relating to the owner of a document, the rights associated with that copy of the document and information relating to the rendering event (e.g. when and where the document was printed). This information will typically aid in deterring or preventing unauthorized copying of the rendered work. It is worth noting that the present invention further provides for multiple types of watermarks to be provided on the same digital work.

Specification of the watermark information is preferably added to a document at the time of assigning render or play rights to the digital work. With respect to printed digital works, at the time of page layout special watermark characters are positioned on the document. When the document is printed, a dynamically generated watermark font is created which contains the watermark information that was specified in the print right. The font of the watermark characters is changed to the dynamically generated watermark font. The dynamically generated watermark font is created using an embedded data technology such as the glyph technology developed by the Xerox Corporation and described in U.S. Pat. No. 5,486,686 entitled “Hardcopy Lossless Data Storage and Communications For Electronic Document Processing Systems”, which is assigned to the same assignee as the present application.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram illustrating the basic interaction between repository types in a system for controlling the distribution and use of digital works in the currently preferred embodiment of the present invention.

FIG. 2 is an illustration of a repository coupled to a credit server for reporting usage fees as may be used in a system for controlling the distribution and use of digital works in the currently preferred embodiment of the present invention.

FIG. 3 is an illustration of a printer as a rendering system as may be utilized in a system for controlling the distribution and use of digital works in the currently preferred embodiment of the present invention.

FIG. 4 is a block diagram illustrating the functional elements of a trusted printer repository in the currently preferred embodiment of the present invention.

FIG. 5 is a flowchart of the basic steps for digital work creation for printing on a trusted printer as may be performed in the currently preferred embodiment of the present invention.

FIG. 6 is an illustration of a usage rights specification for a digital work that may be printed on a user's trusted printer in the currently preferred embodiment of the present invention.

FIG. 7 is an illustration of a usage rights specification for a digital work that may only be printed on a shared trusted printer residing on a network in the currently preferred embodiment of the present invention.

FIG. 8 is an illustration of a printed page having a glyph encoded watermark.

FIG. 9 is an illustration of a set of sample embedded data boxes having different storage capacities as may be used as watermark characters of a watermark font set in the currently preferred embodiment of the present invention.

FIG. 10 is an illustration of a print right having the watermark information specified as may be used in the currently preferred embodiment of the present invention.

FIG. 11 is a flowchart summarizing the basic steps for a creator to cause watermarks to be placed in their documents as may be performed in the currently preferred embodiment of the present invention.

FIG. 12 is a flowchart of the steps required for printing a document as may be performed in the currently preferred embodiment of the present invention.

FIG. 13 is a flowchart outlining the basic steps for extracting the embedded data as may be performed in the currently preferred embodiment of the present invention.

FIG. 14 is an illustration of an implementation of the present invention as a trust box coupled to a computer based system.

FIG. 15 is a flowchart illustrating the steps involved in printing a digital work using the trust box implementation of FIG. 14.

FIG. 16 is an illustration of an implementation of the present invention as a printer server.

FIG. 17 is a flowchart illustrating the steps involved in printing a digital work using the printer server implementation of FIG. 16.

DETAILED DESCRIPTION OF THE INVENTION

A trusted rendering device for minimizing the risk of unauthorized copying of rendered digital works is described. The risk of unauthorized copying of digital documents comes from three main sources: interception of digital copies when they are transmitted (e.g., by wiretapping or packet snooping); unauthorized use and rendering of digital copies remotely stored, and unauthorized copying of a rendered digital work. The design of trusted rendering devices described herein addresses all three risks.

Trusted rendering combines four elements: a usage rights language, encrypted on-line distribution, automatic billing for copies, and digital watermarks for marking copies that are rendered.

Usage Rights language. Content providers indicate the terms, conditions, and fees for printing documents in a machine-readable property rights language.

Encrypted Distribution. Digital works are distributed from trusted systems to trusted rendering devices via computer networks. To reduce the risk of unauthorized interception of a digital work during transmission, it is encrypted. Communication with the rendering system is by way of a challenge-response protocol that verifies the authorization and security of the rendering device.

Automatic Billing. To ensure a reliable income stream to content providers, billing of royalties is on-line and automatic.

Watermarks. Finally, to reduce the risk of copying of rendered works, the rendered work is watermarked to record data about the digital work and the rendering event. Furthermore, watermarks are designed to make copies distinguishable from originals. As will be described below, watermark information is specified within a rendering or play right in the usage rights language.

The currently preferred embodiment of the present invention is implemented as a trusted printer. The foregoing description will be directed primarily to printers, but the concepts and techniques described therein apply equally to other types of rendering systems such as audio players, video players, displays or multi-media players.

OVERVIEW OF A SYSTEM FOR CONTROLLING THE DISTRIBUTION AND USE OF DIGITAL WORKS

The currently preferred embodiment of the present invention operates in a system for controlling the distribution and use of digital works as described in issued U.S. Pat. No. 5,629,980, entitled “System for Controlling the Distribution and Use of Digital Works” and which is herein incorporated by reference. A digital work is any written, audio, graphical or video based work including computer programs that have been translated to or created in a digital form, and which can be recreated using suitable rendering means such as software programs. The system allows the owner of a digital work to attach usage rights to the work. The usage rights for the work define how it may be used and distributed. Digital works and their usage rights are stored in a secure repository. Digital works may only be accessed by other secure repositories. A repository is deemed secure if it possesses a valid identification (digital) certificate issued by a Master repository and can prove its identity in a challenge response protocol.

The usage rights language for controlling a digital work is defined by a flexible and extensible usage rights grammar. The usage rights language of the currently preferred embodiment is provided in Appendix A. Conceptually, a right in the usage rights grammar is a label attached to a predetermined behavior and defines conditions to exercising the right. For example, a COPY right denotes that a copy of the digital work may be made. A condition to exercising the right is the requester must pass certain security criteria. Conditions may also be attached to limit the right itself. For example, a LOAN right may be defined so as to limit the duration of which a work may be LOANed. Conditions may also include requirements that fees be paid.

A repository is comprised of a storage means for storing a digital work and its attached usage rights, an external interface for receiving and transmitting data, a processor and a clock. A repository generally has two primary operating modes, a server mode and a requester mode. When operating in a server mode, the repository is responding to requests to access digital works. When operating in requester mode, the repository is requesting access to a digital work.

Generally, a repository will process each request to access a digital work by examining the work's usage rights. For example, in a request to make a copy of a digital work, the digital work is examined to see if such “copying” rights have been granted, then conditions to exercise the right are checked (e.g. a right to make 2 copies). If conditions associated with the right are satisfied, the copy can be made. Before transporting the digital work, any specified changes to the set of usage rights in the copy are attached to the copy of the digital work.

Repositories communicate utilizing a set of repository transactions. The repository transactions embody a set of protocols for establishing secure session connections between repositories, and for processing access requests to the digital works. Note that digital works and various communications are encrypted whenever they are transferred between repositories.

Digital works are rendered on rendering systems. A rendering system is comprised of at least a rendering repository and a rendering device (e.g. a printer, display or audio system). Rendering systems are internally secure. Access to digital works not contained within the rendering repository is accomplished via repository transactions with an external repository containing the desired digital work. As will be described in greater detail below, the currently preferred embodiment of the present invention is implemented as a rendering system for printing digital works.

FIG. 1 illustrates the basic interactions between repository types in the present invention. As will become apparent from FIG. 1, the various repository types will serve different functions. It is fundamental that repositories will share a core set of functionality which will enable secure and trusted communications. Referring to FIG. 1, a repository 101 represents the general instance of a repository. The repository 101 has two modes of operation: a server mode and a requester mode. When in the server mode, the repository will be receiving and processing access requests to digital works. When in the requester mode, the repository will be initiating requests to access digital works. Repository 101 may communicate with a plurality of other repositories, namely authorization repository 102, rendering repository 103 and master repository 104. Communication between repositories occurs utilizing a repository transaction protocol 105.

Communication with an authorization repository 102 may occur when a digital work being accessed has a condition requiring an authorization. Conceptually, an authorization is a digital certificate such that possession of the certificate is required to gain access to the digital work. An authorization is itself a digital work that can be moved between repositories and subjected to fees and usage rights conditions. An authorization may be required by both repositories involved in an access to a digital work.

Communication with a rendering repository 103 occurs in connection with the rendering of a digital work. As will be described in greater detail below, a rendering repository is coupled with a rendering device (e.g. a printer device) to comprise a rendering system.

Communication with a master repository 105 occurs in connection with obtaining an identification certificate. Identification certificates are the means by which a repository is identified as “trustworthy”. The use of identification certificates is described below with respect to the registration transaction.

FIG. 2 illustrates the repository 101 coupled to a credit server 201. The credit server 201 is a device which accumulates billing information for the repository 101. The credit server 201 communicates with repository 101 via billing transaction 202 to record billing transactions. Billing transactions are reported to a billing clearinghouse 203 by the credit server 201 on a periodic basis. The credit server 201 communicates to the billing clearinghouse 203 via clearinghouse transaction 204. The clearinghouse transactions 204 enable a secure and encrypted transmission of information to the billing clearinghouse 203.

RENDERING SYSTEMS

A rendering system is generally defined as a system comprising a repository and a rendering device which can render a digital work into its desired form. Examples of a rendering system may be a computer system, a digital audio system, or a printer. In the currently preferred embodiment, the rendering system is a printer. In any event, a rendering system has the security features of a repository. The coupling of a rendering repository with the rendering device may occur in a manner suitable for the type of rendering device.

FIG. 3 illustrates a printer as an example of a rendering system. Referring to FIG. 3, a printer system 301 has contained therein a printer repository 302 and a print device 303. It should be noted that the dashed line defining printer system 301 defines a secure system boundary. Communication within the boundary is assumed to be secure and in the clear (i.e. not encrypted). Depending on the security level, the boundary also represents a barrier intended to provide physical integrity. The printer repository 302 is an instantiation of the rendering repository 105 of FIG. 1. The printer repository 302 will in some instances contain an ephemeral copy of a digital work which remains until it is printed out by the print engine 303. In other instances, the printer repository 302 may contain digital works such as fonts, which will remain and be billed based on use. This design assures that all communication lines between printers and printing devices are encrypted, unless they are within a physically secure boundary. This design feature eliminates a potential “fault” point through which the digital work could be improperly obtained. The printer device 303 represents the printer components used to create the printed output.

Also illustrated in FIG. 3 is the repository 304. The repository 304 is coupled to a printer repository 302. The repository 304 represents an external repository which contains digital works.

FIG. 4 is a block diagram illustrating the functional elements of a trusted printer repository. Note that these functional elements also would be present in any rendering repository. Referring to FIG. 4, the functional embodiment is comprised of an operating system 410, core repository services 411, and print repository functions 412. The operating system 410 is specific to the repository and would typically depend on the type of processor being used to implement the repository. The operating system 401 would also provide the basic services for controlling and interfacing between the basic components of the repository.

The core repository services 411 comprise a set of functions required by each and every repository. For a trusted printer repository the core repository services will include engaging in a challenge response protocol to receive digital works and decryption of received digital data.

The print repository functions 412 comprise functionality for rendering a work for printing as well as gathering data for and creating a digital watermark. The functionality unique to a print repository will become apparent in the description below (particularly with respect to the flowchart of FIG. 12).

BASIC STEPS FOR DIGITAL WORK CREATION FOR PRINTING ON A TRUSTED PRINTER

FIG. 5 is a flowchart illustrating the basic steps for creating a digital work that may be printed on a trusted printer so that the resulting printed document is also secure. Note that a number of well known implementation steps, e.g. encryption of digital works, have been omitted in order to not detract from the basic steps. First, a digital work is written, assigned usage rights including a print right which specifies watermark information and is deposited in repository 1, step 501. As will be described in more detail below, the assignment of usage rights is accomplished through the use of a rights editor. Deposit of the digital work into repository 1 is an indication that it is being placed into a controlled system. Next, repository 1 receives a request from repository 2 for access to the digital work, step 502 and repository 1 transfers a copy of the digital work to repository 2, step 503. For the sake of this example, it is assumed that a “trusted” session between repository 1 and repository 2 has been established. The challenge response protocol used in this interaction is described in the aforementioned U.S. Pat. No. 5,629,980 and thus no further discussion on the challenge response protocol is deemed necessary.

Repository 2 then receives a user request to print the digital work, step 504. Repository 2 then establishes a trusted session with a printer repository of the printing system on which the digital work will be printed, step 505. The printer repository receives the encrypted digital work and determines if it has a print right, step 506. If the digital work has the print right, the printer repository decrypts the digital work and generates the watermark that will be printed on the digital work, step 507. The printer repository then transmits the decrypted digital work with the watermark to a printer device for printing, step 508. For example, the decrypted digital work may be a Postscript file of the digital work.

CONTROLLING PRINTING WITH THE USAGE RIGHTS GRAMMAR

A key concept in governing sale, distribution, and use of digital works is that publishers can assign “rights” to works that specify the terms and conditions of use. These rights are expressed in a rights language as described in the aforementioned U.S. Pat. No. 5,629,980. The currently preferred grammar is provided herein in Appendix A. It is advantageous to specify watermark information within a rendering or play right within the grammar for a number of reasons. First, specification in this manner is technology independent. So different watermarking technologies may be used or changed without altering the digital document. Second, multiple watermarking technologies may be applied to the same digital work, e.g. a visible watermarking technology and an invisible watermarking technology. So if the visible watermark is removed, the invisible one may remain. Third, the watermark information to be placed on the digital work can be associated with the rendering event, rather than the distribution event. Fourth, the watermark information can be extended to include the entire distribution chain of the digital work. Fifth, security and watermarking capabilities of a rendering system may be specified as a condition of rendering. This will further insure the trusted rendering of the digital work.

As a result of these advantages, this type of specifying watermark information fully supports the Superdistribution of digital works. Superdistribution is a distribution concept where every possessor of a digital work may also be a distributor of the digital work, and wherein every subsequent distribution is accounted for.

When a publisher assigns rights to a digital work, the usage rights enable them to distinguish between viewing (or playing) rights and print rights. Play rights are used to make ephemeral, temporary copies of a work such as an image of text on a display or the sound of music from a loudspeaker. Print rights are used to make durable copies, such as pages from a laser printer or audio recordings on a magnetic media.

Example—TRUSTED PRINTING FROM A PERSONAL COMPUTER

FIG. 6 is an example of the usage rights for a digital work which enables trusted printing from a personal computer. Referring to FIG. 6, various tags are used for the digital work. The tags “Description” 601, “Work-ID” 602 and “Owner” 603 provide identification information for the digital work.

Usage rights are specified individually and as part of a group of rights. The Rights-Group 604 has been given a name of “Regular”. The bundle label provides for a fee payee designation 605 and a minimum security level 606 that are applied to all rights in the group. The fee payee designation 605 is used to indicate who will get paid upon the invocation of a right. The minimum security level 606 is used to indicate a minimum security level for a repository that wishes to access the associated digital work.

The rights in the group are then specified individually. The usage rights specify no fee for transferring 608, deleting 609 or playing 610, but do have a five dollar fee for making a digital copy 607. The group also has two Print rights 611 and 612, both requiring a trusted printer (specified by 613). The first Print right 611 can be exercised if the user has a particular prepaid ticket (specified by 614). The second print right has a flat fee of ten dollars (specified by 615). The example assumes that the digital work can be transmitted to a user's computer by exercising the Copy right, and that the user can play or print the work at his or her convenience using the Play and Print rights. Fees are logged from the user's workstation whenever a right is exercised.
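The FIG. 6 rights group and the request-processing rule described earlier (examine the work's rights, then check the conditions on the right) can be modeled as follows. This is an added Python example, not code from the patent or its Appendix A grammar; the field names, the numeric security level, the ticket name, the identifiers, the watermark fields and the rule that a ticket is consumed when used are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Right:
    name: str                       # Copy, Transfer, Delete, Play or Print
    fee_cents: int = 0              # flat fee logged when the right is exercised
    ticket: Optional[str] = None    # prepaid ticket that must be presented
    trusted_printer: bool = False   # exercisable only on a trusted printer
    watermark: bool = False         # right carries a watermark specification


@dataclass(frozen=True)
class Work:
    work_id: str
    owner: str
    payee: str          # fee payee designation, applies to the whole group
    min_security: int   # minimum security level, applies to the whole group
    rights: tuple


@dataclass
class Requester:
    repo_id: str
    security: int
    is_trusted_printer: bool = False
    tickets: set = field(default_factory=set)


# Constructed stand-in for the "Regular" rights group of FIG. 6.
# All identifiers and the security level value are hypothetical.
FIG6 = Work(
    work_id="WORK-0001", owner="Example Publisher",
    payee="ACCT-EXAMPLE", min_security=2,
    rights=(
        Right("Copy", fee_cents=500),
        Right("Transfer"), Right("Delete"), Right("Play"),
        Right("Print", ticket="PREPAID-PRINT", trusted_printer=True, watermark=True),
        Right("Print", fee_cents=1000, trusted_printer=True, watermark=True),
    ),
)


def unmet(work, right, req):
    """Return the conditions of `right` that `req` fails; empty means allowed."""
    reasons = []
    if req.security < work.min_security:
        reasons.append("security level below group minimum")
    if right.trusted_printer and not req.is_trusted_printer:
        reasons.append("trusted printer required")
    if right.ticket and right.ticket not in req.tickets:
        reasons.append("prepaid ticket missing")
    return reasons


def exercise(work, name, req, ledger, now=None):
    """Grant the first version of right `name` whose conditions hold; else deny."""
    now = now or datetime.now(timezone.utc)
    denials = []
    for right in (r for r in work.rights if r.name == name):
        reasons = unmet(work, right, req)
        if reasons:
            denials.append(reasons)
            continue
        if right.ticket:
            req.tickets.discard(right.ticket)  # assumption: ticket is used up
        # Every exercise is logged for the credit server, zero fees included.
        ledger.append({"payee": work.payee, "work": work.work_id, "right": name,
                       "fee_cents": right.fee_cents, "by": req.repo_id})
        mark = None
        if right.watermark:
            # Hypothetical payload: owner, right exercised, where and when rendered.
            mark = {"owner": work.owner, "work": work.work_id, "right": name,
                    "printed_by": req.repo_id, "printed_at": now.isoformat()}
        return {"granted": True, "fee_cents": right.fee_cents, "watermark": mark}
    # Default deny: either no such right, or no version had its conditions met.
    return {"granted": False,
            "denials": denials or [["right not granted for this work"]]}
```

A workstation that is not a trusted printer can exercise Copy for the five dollar fee but is refused both Print rights; a trusted printer holding the ticket prints once at no fee and falls through to the ten dollar Print right afterwards.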

Also illustrated in FIG. 6 are watermark specifications 616 and 617. The particular detail for the watermark specifications 616 and 617 is described below with reference to FIG. 10.

Example - Trusted Printing to an Internet Printer

FIG. 7 illustrates a different set of rights for the same digital book. In this version, the publisher does not want digital delivery to be made to a consumer workstation. A practical consideration supporting this choice may be that the publisher wants to minimize the risk of unauthorized digital copying and requires a higher level of security than is provided by trusted systems on available workstations. Instead, the publisher wants the book to be sent directly from an on-line bookstore to a trusted printer. Printing must be prepaid via digital tickets (see fee specification 701). To enable digital distribution to authorized distributors but not directly to consumers, the publisher requires that both parties in a Copy and Transfer right have an authorizing digital license (see certificate specifications 702 and 703). Lacking such a license, a consumer can not access the work at a workstation. Instead, he or she must print the work.

Also illustrated in FIG. 7 is the watermark specification 704. The watermark specification 704 is described in greater detail below with respect to FIG. 10.

WATERMARKS AND FINGERPRINTS

Three main requirements for watermarks on trusted printers have been identified:

Social Reminder. This requirement is for a visible printed indication about whether photocopying is permitted. This could be a printed statement on the document or an established icon or symbol within a corporation indicating a security level for the document.

Auditing. This requirement is for a way to record information on the document about the printing event, such as who owns the print rights, whether photocopying is permitted, and what person or printer printed the document and when the document was printed.

Copy Detection. This requirement is a way for differentiating between printed originals and photocopies. In general, this requirement involves using some print patterns on the page which tend to be distorted by photocopiers and scanners. For some patterns, the difference between copies and printed originals is detectable by people; for other patterns, the difference is automatically detectable by a computer with a scanner.

In the currently preferred embodiment, watermarks are created with embedded data technology such as glyph technology developed by the Xerox Corporation. Glyph technology as it is used as embedded data printed on a medium is described in U.S. Pat. No. 5,486,686 entitled “Hardcopy Lossless Data Storage and Communications For Electronic Document Processing Systems”, which is incorporated by reference herein. Using glyphs as digital watermarks on printed documents is described in co-pending application Ser. No. 08/734,570 entitled “Quasi-Reprographics With Variable Embedded Data With Applications To Copyright Management, Distribution Control, etc.”, which is assigned to the same assignee as the present application and is incorporated by reference herein.

Generally, embedded data technology is used to place machine readable data on a printed medium. The machine readable data typically is in a coded form that is difficult if not impossible for a human to read. Another example of an embedded data technology is bar codes.

Embedded data technology can be used to carry hundreds of bits of embedded data per square inch in various grey patterns on a page. Preferably, glyphs are used because the marks representing the encoded data can be used to create marks which are more aesthetically appealing than other embedded data technologies. With careful design, glyphs can be integrated as graphical elements in a page layout. Glyphs can be used with any kind of document. Glyph watermarks to carry document identification can be embedded by the publisher, while glyphs carrying data about a print event can be added to the watermark at the time of printing by a printing system. Both document identification and fingerprinting data can be embedded in the same watermark.

It should be noted that a disadvantage of glyphs, and of all forms of visible and separable watermarks, is that with mechanical or computational effort, they can be removed from a document.

FIG. 8 illustrates an example of a document image having a glyph encoded watermark. Referring to FIG. 8, a document page 801 has various text 802. Also included is a glyph encoded watermark 803. Note that the document is not limited to text and may also include image or graphical data.

INTEGRATING EMBEDDED DATA AS WATERMARKS INTO TRUSTED PRINTING SYSTEMS

This section describes briefly how embedded data technology can be used in trusted printing systems to embed watermarking data. How glyphs and watermark data are handled at each stage in creating, publishing, and printing a document is discussed.

It has been determined that for integrating embedded data such as glyphs into trusted printing systems, the requirements include:

Document designers such as authors and publishers must be able to specify on a page by page basis the position and shape of watermarks, so that they can be incorporated into the design of the document.

The approach should be compatible with mainline document creation (e.g. word processing) systems.

The approach should work within the protocols of existing printers.

The approach should carry the fingerprint (or run-time) data in Usage Rights specifications.

The approach should not significantly slow down printing.

Herein the term media-dependent data is used to refer to information about how a watermark is located and shaped within the document content. The approach depends on the use of Usage Rights to express the data to be encoded in the watermark.

Document Creation

Publishers use a wide variety of tools to create documents. Different text editors or word processors provide different ways and degrees of control in laying out text, pictures and figures. One thing that all text editors have is a way to locate text on a page. In effect, this is a lowest common denominator in abilities for all systems.

Exploiting this common capability provides insight about how to use glyphs to represent watermarks:

Glyph watermarks are organized graphically as rectangular boxes.

Different sized boxes have different capacities for carrying data. On 300 dpi printers, about 300 bytes per inch can be encoded in glyphs. Note that this can represent even more data if the original data is compressed prior to glyph encoding. Note for greater reliability, some data may be repeated redundantly, trading data capacity for reliability.

Each glyph watermark is represented to a document creation program as a character in an initial glyph watermark font. Boxes of different sizes and shapes are represented as different characters for the initial glyph watermark font. When a digital work is printed, the encoding of the data is analogous to calculating and changing the watermark font.

In practice, a designer laying out a document would open a page of a glyph catalog containing glyph boxes of different sizes. The glyph boxes in the catalog would probably contain just test data, e.g. a glyph ASCII encoding of the words “test pattern glyph Copyright © Xerox Corporation 1997. All Rights Reserved”. The designer would determine ahead of time how much data he wants to encode per page, such as 100, 300, 500, or 1000 bytes. The designer would copy a “box” (actually a character) of the corresponding size into their document and locate it where they want it on the page, typically incorporating it as a design element.

FIG. 9 illustrates a set of sample watermark characters (i.e. glyph boxes) having different storage capacities. An actual catalog would contain additional shapes and would be annotated according to the data-carrying capacity of the glyphs.

Note that the glyph encoded watermarks can also be placed in figures, since drawing programs also have the capability to locate characters on a page.

When the creator saves their work, the document creation program writes a file in which characters in the glyph font are used to represent the watermarks. If the creator prints the document at this stage, he will see more or less what the final sold versions will look like except that the test data encoded in the gray tones of the glyph box will later be replaced by the dynamically generated watermark data.

SPECIFYING WATERMARK DATA

When the author or publisher gets ready to publish the work and import it into a system for controlling distribution and use of digital works, one of the steps is to assign rights to the work using a Rights Editor. The Rights Editor is a program with which a document owner specifies terms and conditions of using a digital work.

This is the point at which document identification data and also print event data are specified. FIG. 10 illustrates the watermark information specified for a print right. Note that the watermark information specification is optional within the grammar. Referring to FIG. 10, print right 1001 specifies that a purchaser of the document must pay ten dollars to print the document (at fee specification 1002). The document must only be printed on a trusted printer of a given type (at printer specification 1003). Furthermore, the watermark must embed a particular string “Title: Moby Dog Copyright 1994 by Zeke Jones. All Rights Reserved” and also include various data about the printing event (at Watermark-Tokens specification 1004). Note that the watermark tokens specification is used to specify the “fingerprint” information associated with the printing of the digital work. Here the specified printing event data is who printed it out, the name of the institution printing it out, the name of the printer, the location of the printer and the time that the digital work was printed. As will be described below, this information is obtained at print time.

FIG. 11 is a flowchart summarizing the basic steps for a creator to cause watermarks to be placed in their documents. As part of the layout of the textual document the designer determines how much data is required by the watermark, step 1101. Based on the amount of needed data, a suitable watermark character (e.g. glyph box) is selected, step 1102. The watermark character is then positioned onto a page (or the pages) of the digital work, step 1103. Finally, as part of the rights assignment for the digital work document, a print right with a watermark specification is made, step 1104. At this point, the document can be viewed with the watermark positioned in the desired place(s) on the document. However, the actual fingerprint and other identifying data in an embedded data format has not yet been created. This is created dynamically at print time as described below.

PRINTING THE DIGITAL WORK

The next steps for the digital work are that it is published and distributed. During this process, the digital work is protected by the encryption and other security systems that are employed and the rights travel with the document. Part of this process assures that any printer or workstation that has a copy of the document also has digital certificates which contain information identifying the trusted system, trusted printer, user, and so on (a process described in more detail in issued U.S. Pat. No. 5,629,980).

FIG. 12 is a flowchart of the steps required for printing a document. Referring to FIG. 12, at some point, a user decides to print a document, step 1201. Typically this is done via a print command invoked through some interface on the user's system. This opens a challenge-response protocol between the “user” repository containing the document and the printer repository, step 1202. During this exchange, the security and watermark capabilities of the printer are checked. If the printer does not have the proper security or watermark capabilities, the digital work cannot be printed on that printer. The printer security level and watermark capabilities are specified in the identification certificate for the printer. Assuming that the printer has the proper security levels and watermark capabilities, the “user” repository then checks that the digital work has the required print right, step 1203. Assuming that the digital work has the required print right, the user repository may interface with a credit server to report any required fees for printing the digital work, step 1204. Note that the actual billing for the digital work may occur either when the print right is exercised or when it can be verified that the document has been printed. The latter case protects the user in the situation wherein printing may become inadvertently terminated before the entire digital work is printed.

A computation is then performed to gather together the information to be embedded in the watermark and to incorporate it into a new font for the watermark character. First the information must be gathered from digital identification certificates belonging to the user or the trusted printer, such as names, locations, and the current date and time, step 1205. This information is “printed” internally into computer memory, creating a bitmap image of glyph boxes of different sizes, step 1206. Creation and coding of glyphs is described in the aforementioned U.S. Pat. No. 5,486,686, thus no further discussion on the encoding of glyph patterns is deemed necessary. In any event, this information is then assembled into a font definition, step 1207.

The digital work is then decrypted and downloaded into the printer, step 1208. When the digital work is downloaded into the printer, part of the protocol is also to download the new “revised” glyph font, which now has characters corresponding to glyph boxes. This font looks more or less like the one that the publisher used in creating the document, except that the gray codes inside the font boxes now embed the data that the publisher wants to appear in the watermarks on the document.

The printer then prints the digital work, step 1209. When the document is printed, the glyphs that appear on the pages contain the desired watermark data.
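The print-time checks and data gathering of steps 1202 through 1206, sketched as an added Python example that is not code from the patent: it parses a Print right written to the Appendix A grammar, checks the printer's certificate against it, and assembles the bytes that would be handed to the glyph encoder. The certificate field names, the sample values and the key=value payload layout are assumptions of this example, and glyph encoding itself is not shown.

```python
import re
from datetime import datetime, timezone

# Constructed sample written to the Appendix A grammar. The authority, printer
# type and account id are made up; the watermark string is the one in the text.
PRINT_RIGHT = """
(Print:
  (Printer: (Certificate: (Authority: "DPT") (Type: TrustedPrinter-6)))
  (Watermark:
    (Watermark-Str: "Title: Moby Dog Copyright 1994 by Zeke Jones. All Rights Reserved")
    (Watermark-Tokens: user-name institution-name render-name render-location render-time))
  (Fee: (Per-Use: 10) (To: Account-ID-678)))
"""
# Constructed certificates; the field names are assumptions of this example.
USER_CERT = {"user-name": "Pat Example", "institution-name": "Example University"}
PRINTER_CERT = {"Authority": "DPT", "Type": "TrustedPrinter-6", "security-level": 6,
                "watermark-capable": True, "render-name": "Lab-Printer-1",
                "render-location": "Building 35, Room 2"}

TOKEN_RE = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')
USER_TOKENS = {"user-name", "user-id", "user-location", "institution-name",
               "institution-id", "institution-location"}
PRINTER_TOKENS = {"render-name", "render-id", "render-location"}  # rights tokens omitted

def parse(text):
    """Parse one parenthesized expression into nested lists of strings."""
    tokens, pos = TOKEN_RE.findall(text), 0
    def node():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unexpected ')'")
        if tok != "(":
            return tok.strip('"')
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(node())
        if pos >= len(tokens):
            raise ValueError("unbalanced parentheses")
        pos += 1
        return items
    tree = node()
    if pos != len(tokens):
        raise ValueError("trailing input after expression")
    return tree

def find(tree, label):
    """Return the first child list of `tree` headed by `label`, else None."""
    for child in tree[1:]:
        if isinstance(child, list) and child and child[0] == label:
            return child
    return None

def authorize_print(right, printer_cert, min_security):
    """Steps 1202-1203: return (allowed, reason) for this printer and right."""
    if not isinstance(right, list) or not right or right[0] != "Print:":
        return False, "no print right"
    if printer_cert.get("security-level", 0) < min_security:
        return False, "printer security level too low"
    required = find(find(right, "Printer:") or [], "Certificate:") or []
    for pair in required[1:]:
        name, value = pair[0].rstrip(":"), pair[-1]
        if str(printer_cert.get(name, "")) != value:
            return False, "printer certificate lacks %s=%s" % (name, value)
    if find(right, "Watermark:") and not printer_cert.get("watermark-capable"):
        return False, "printer cannot render watermarks"
    return True, "ok"

def gather_watermark(right, user_cert, printer_cert, now, capacity):
    """Step 1205: build the bytes for the glyph encoder, or raise ValueError."""
    mark = find(right, "Watermark:") or []
    text = find(mark, "Watermark-Str:")
    fields = [text[1]] if text else []
    tokens = find(mark, "Watermark-Tokens:")
    for token in (tokens or [])[1:]:
        if token == "render-time":
            value = now.strftime("%Y-%m-%dT%H:%M:%SZ")
        elif token in USER_TOKENS | PRINTER_TOKENS:
            value = (user_cert if token in USER_TOKENS else printer_cert).get(token)
        else:
            raise ValueError("unsupported watermark token: " + token)
        if not value:
            # Fail closed: printing with an empty fingerprint field defeats auditing.
            raise ValueError("no certificate value for " + token)
        fields.append("%s=%s" % (token, value))
    payload = "\n".join(fields).encode("utf-8")
    if len(payload) > capacity:
        raise ValueError("payload exceeds the %d-byte glyph box" % capacity)
    return payload

if __name__ == "__main__":
    right = parse(PRINT_RIGHT)
    print(authorize_print(right, PRINTER_CERT, min_security=5))
    now = datetime.now(timezone.utc)
    print(gather_watermark(right, USER_CERT, PRINTER_CERT, now, 300).decode())
```

The capacity argument stands for the size of the glyph box the designer placed on the page (100, 300, 500 or 1000 bytes in the text), so an oversized fingerprint is rejected before printing rather than truncated.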

READING THE EMBEDDED DATA CONTAINED IN THE WATERMARK

FIG. 13 is a flowchart outlining the basic steps for extracting the embedded data. First, the printed document is scanned and a digital representation obtained, step 1301. The location of the watermark and the corresponding embedded data is then found, step 1302. The watermark may be found using techniques for finding characteristic pixel patterns in the digital representation of the printed document. Alternatively, a template for the document may have been created that could be used to quickly find the watermark location. In any event, the embedded data is extracted from the watermark and decoded, step 1303. The decoded data is then converted to a human readable form, step 1304. This may be on a display or printed out. The data extracted is then used to identify who and where the unauthorized reproduction of the digital work came from.

Note that the means for extraction of the watermark data is dependent on the technology used to embed the watermark data. So while the actual extraction steps may vary, they do not cause departure from the spirit and scope of the present invention.

TRUSTED PRINTER EMBODIMENTS

In the following, two embodiments of trusted printer implementations are described: desktop implementations for personal printers and print server implementations for larger workgroup and departmental printers.

DESKTOP IMPLEMENTATIONS

There is a large and growing install base of personal printers. Typically, such printers are connected to personal computers by serial output ports. In other cases, they are installed on small local area networks serving a few offices.

To serve this market a “trust box” is provided which would be positioned in between the personal computer and the personal printer. The “trust box” would act as a print repository for the trusted printer system. This is a market where the purchase of such hardware would be justified by the convenience of digital delivery to the office, for those documents that publishers are unwilling to send in the clear (i.e. not encrypted). The cost of the trust box offsets either waiting for mail delivery or driving to another location to pick up trusted printer output.

FIG. 14 is an illustration of a trust box in a computer based system. Referring to FIG. 14, a personal computer 1401 is coupled to a network 1402. The personal computer 1401 itself is part of a trusted system in that it embodies a repository. The personal computer would receive digital works through the network 1402 (e.g. over the Internet). The personal computer 1401 is further coupled to trust box 1403. The communications between the repository contained in the personal computer 1401 and the trust box 1403 are encrypted for security purposes. Finally, the trust box 1403 is coupled to a printer 1404. The printer 1404 receives decrypted print streams for printing.

From a conceptual perspective, the personal computer combined with the trust box and printer form a trusted system. The trust box implementation would work with other system elements as illustrated in the steps of the flowchart of FIG. 15.

Referring to FIG. 15, the consumer contacts the distributor of digital works using, for example, an Internet browser such as Netscape Navigator or Microsoft Explorer, step 1501. For the sake of brevity, it is assumed that a trusted session is established between the consumer's repository and the distributor's repository. Using known user interface methods, the consumer selects a work from a catalog or search service, step 1502. In this example, it is assumed that the rights holder has associated a Print right with the document, and that all terms and conditions for exercising the right are met by the consumer and the trust box.

Once a work is selected the two repositories begin a purchase transaction, step 1503. As described in U.S. Pat. No. 5,629,980, there are several variations for billing. For concreteness, it is assumed that there is a billing account associated with the trust box.

Using a helper application (or equivalent), the consumer's repository sends a digital certificate to the distributor which contains the trust box's public key, step 1504. The certificate itself is signed by a well-known repository, such as the printer's manufacturer.

The distributor repository encrypts the document using DES or some other encryption code, step 1505. The encryption uses a key length that is compatible with requirements of security and legal constraints. The distributor repository encrypts the document key in an envelope signed by the public key of the printer box, step 1506. The distributor repository then sends the encrypted document and the envelope along to the consumer's workstation.

The personal computer stores the encrypted document in its repository along with the envelope containing the key, step 1507.

At some point, the user decides to print the document. Using a print program, he issues a print request, step 1508. His personal computer contacts the trust box, retrieving its identity certificate encrypted in its public key, step 1509. It looks up the watermark information in certificates from the user, the computer itself, and the printer, step 1510. It downloads the watermark font to the printer through the trust box, step 1511.

The print program begins sending the document, one page at a time, to the trust box, step 1512.

The trust box contacts the printer. It decrypts the document, giving the document key to a decryption means (e.g. an internal decryption chip), step 1513. It transmits the document to the printer in the clear, step 1514. Note that this is one place where a digital copy could be leaked, if a printer emulator was plugged into the print box to act like a printer. Presumably the security level of the trust box is set to a value that reflects the level of risk. The document is then printed, step 1515. Finally, the trust box reports billing to a Financial Clearinghouse, step 1516.

The trusted print box design is intended to meet several main design objectives as follows:

Installed Base. This approach is intended to work within the current installed base of desktop or personal printers. Installing a trusted print box requires loading software and plugging standard serial cables between the printer, the trusted print box, and the computer.

Security. The approach inhibits unauthorized photocopying through the use of watermarks. The approach inhibits digital copying by storing digital works in an encrypted form, where the consumer workstation does not have access to the key for decrypting the work.

Printer Limitations. The approach assumes that the user will plug the trusted print box into a standard printer. The printer is assumed to not have the capability of storing extra copies of the digital work.

Building box in Printer. Variations of this approach include incorporating the trusted print box into the printer itself. That variation has the advantage that it does not present the document in the clear along any external connectors.

Weak Link. A weak link in this approach is that there is an external connector that transmits the document in the clear. Although this is beyond the average consumer, it would be possible to build a device that sits between the trusted printer box and the printer that would intercept the work in the clear.

Billing Variations. In the version presented here, the trusted print box has secure storage and programs for managing billing records. A simpler version of the approach would be to keep track of all billing on-line. For example, one way to do this would be to have the document printing start at the time that the customer orders it. In this variation, the document is still sent in encrypted form from the publisher, through the consumer's workstation, decrypted, and sent to the trusted print box, to the printer. The difference is that the trusted print box no longer needs to keep billing records and that the consumer must start printing the document at the time that the document is ordered.

Software-only Variation. Another variation on the desktop printing solution involves only software. The consumer/client purchases the work and orders the right to print it once. The on-line distributor delivers the work, encrypted, one page at a time. The consumer workstation has a program that decrypts the page and sends it to the printer with watermarks, and then requests the next page. At no time is a full decrypted copy available on the consumer's computer. The weak link in this approach is that the consumer's computer does gain access to copies of pages of the work in the clear. Although this would be beyond the average consumer, it would be possible to construct software either to mimic runtime decryption software or modify it to save a copy of the work, one page at a time.

PRINTER SERVER IMPLEMENTATIONS

Much of the appeal of trusted printers is to enable the safe and commercial printing of long documents. Such printing applications tend to require the speed and special features of large, shared printers rather than personal printers. Provided herein is an architecture for server-based trusted printers.

Besides the speed and feature differences of the print engines themselves, there are some key differences between server-based trusted printers and desktop trusted printers.

Server-based printers store complete copies of documents in files.

Server-based printers have operating systems and file systems that may be accessible via a network.

Server-based printers have consoles, accessible to dedicated or walk-up operators depending on the installation.

These basic properties of server-based printers create their own risks for document security which need to be addressed. In addition, since server-based printers tend to be high volume and expensive, it is important that the trusted system features not significantly slow down competitive printer performance.

From a conceptual perspective, the print server (including network services and spooling) combined with the printer forms a trusted system.

In abstract and functional terms, the operation of the server implementation is similar to that of the trust box implementation. The difference is that the server performs many of the operations of the trust box.

There are many variations on how the print server may need to interoperate with the other system elements. For example, the transaction with the printer may be with the user's computer or with an on-line repository that the user is communicating with. In the following, the transaction is described as happening from a repository, although that repository may be the user's own computer.

FIG. 16 is a block diagram illustrating a print server implementation. Referring to FIG. 16, a consumer workstation 1601 is coupled to publisher repository 1602. The publisher repository 1602 couples directly with a spooler in printer repository 1603. The spooler is responsible for scheduling and printing of digital works. The spooler 1603 is coupled to the printer 1604.

The server implementation would work with other system elements as illustrated in the steps of the flowchart of FIG. 17. Referring to FIG. 17, the repository contacts the trusted printer's server, engaging in a challenge-response protocol to verify that the printer is of the right type and security level to print the work, step 1701. These interactions also give the printer public certificates for the repository and user, which are used for retrieving watermark information.

The distributor encrypts the document using DES or some other code, using a key length that is compatible with requirements of security and legal constraints, step 1702. It encrypts the document key in an envelope signed by the public key of the server, step 1703. It sends the encrypted document to the server, step 1704.

Note that in some versions of this architecture, different levels of encryption and “scrambling” (less secure) are used on the document at different stages in the server. It is generally important to protect the document in all places where it might be accessed by outside parties. The use of lower security encoding is sometimes used to avoid potentially-expensive decryption steps at critical stages that would slow the operation of the printer.

In any event, the server stores the encrypted document, step 1705. At some point, the spooler gets ready to print the document. Before starting, it runs a process to create a new version of the glyph font that encodes the watermark data, step 1706. It looks up the required watermark information in its own certificates as well as certificates from the repository and user.

Finally, the spooler begins imaging the document, one page at a time, step 1707.

Thus, trusted rendering systems for use in a system for controlling the distribution and use of digital works are disclosed. While the present invention is described with respect to a preferred embodiment, it would be apparent to one skilled in the art to practice the present invention with other configurations of information retrieval systems. Such alternate embodiments would not cause departure from the spirit and scope of the present invention.

APPENDIX A. GRAMMAR FOR THE USAGE RIGHTS LANGUAGE

work-specification -> (Work: (Rights-Language-Version: version-id) (Work-ID: work-id)_(opt) (Description: text-description)_(opt) (Owner: certificate-spec)_(opt) (Parts: parts-list)_(opt) (Contents: (From: address) (To: address))_(opt) (Copies: copy-count)_(opt) (Comment: comment-str)_(opt) rights-group-list )
parts-list -> work-id | work-id parts-list
copy-count -> integer-constant | unlimited
rights-group-list -> rights-group-spec rights-group-list_(opt)
rights-group-spec -> ( rights-group-header rights-group-name bundle-spec_(opt) comment_(opt) rights-list)
rights-group-header -> Rights-Group: | Reference-Rights-Group:
bundle-spec -> (Bundle: comment_(opt) time-spec_(opt) access-spec_(opt) fee-spec_(opt) watermark-spec_(opt))
comment -> (Comment: comment-str)
rights-list -> right rights-list_(opt)
right -> (right-code comment_(opt) time-spec_(opt) access-spec_(opt) fee-spec_(opt) )
right-code -> transport-code | render-code | derivative-work-code | file-management-code | configuration-code
transport-code -> transport-op-spec next-copy-rights-spec_(opt)
transport-op-spec -> Copy: | Transfer: | Loan: remaining-rights-spec_(opt)
next-copy-rights-spec -> (Next-Copy-Rights: next-set-of-rights )
remaining-rights-spec -> (Remaining-Rights: rights-groups-list)
next-set-of-rights -> rights-to-add-spec_(opt) | rights-to-delete-spec_(opt)
rights-to-add-spec -> (Add: rights-groups-list )
rights-to-delete-spec -> (Delete: rights-groups-list )
render-code -> Play: player-spec_(opt) | Print: printer-spec_(opt) | Export: repository-spec_(opt)
player-spec -> (Player: certificate-list)_(opt) (Watermark: watermark-spec)_(opt)
printer-spec -> (Printer: certificate-list )_(opt) (Watermark: watermark-spec)_(opt)
repository-spec -> (Repository: certificate-list)_(opt)
derivative-work-code -> derivative-op-spec editor-spec_(opt) next-copy-rights-spec_(opt)
derivative-op-spec -> Edit: | Extract: | Embed:
editor-spec -> (Editor: certificate-list)
file-management-code -> Backup: backup-copy-rights-spec_(opt) | Restore: | Verify: verifier-spec_(opt) | Folder: | Directory: | Delete:
backup-copy-rights-spec -> Backup-Copy-Rights: rights-groups-list
verifier-spec -> (Verifier: certificate-list)
configuration-code -> Install: | Uninstall:
time-spec -> (Time: interval-type expiration-spec_(opt))
interval-type -> fixed-interval-spec | sliding-interval-spec | metered-interval-spec
fixed-interval-spec -> (From: moment-spec)
sliding-interval-spec -> (Interval: interval-spec)
metered-interval-spec -> (Metered: interval-spec)
expiration-spec -> (Until: moment-spec)
moment-spec -> date-constant time-of-day-constant_(opt)
interval-spec -> calendar-units-constant | time-units-constant | calendar-units-constant time-units-constant
fee-spec -> (Fee: ticket-spec | monetary-spec
ticket-spec -> (Ticket: (Authority: authority-id) (Type: ticket-id ))
monetary-spec -> (fee-type min-price-spec_(opt) max-price-spec_(opt) account-spec )
fee-type -> (Per-Use: money-units ) | (Metered: (Rate: money-units) (Per: interval-spec ) (By: interval-spec)_(opt) | (Best-Price-Under: money-units ) | (Call-For-Price: dealer-id ) | (Markup: percentage )
money-units -> floating-constant (Currency: ISO-Currency-Code )_(opt)
account-spec -> (To: account-id ) (House: clearing-house-id)_(opt) | (From: account-id) (House: clearing-house-id)_(opt)
min-price-spec -> (Min: (Rate: money-units ) (Per: interval-spec))
max-price-spec -> (Max: (Rate: money-units ) (Per: interval-spec))
access-spec -> (Access: security-class-spec_(opt) user-spec_(opt) source-spec_(opt) destination-spec_(opt) )
security-class-spec -> (Security: s-list)
s-list -> s-pair | s-pair s-list
s-pair -> (s-name: s-value)
s-name -> literal-constant
s-value -> floating-constant
user-spec -> (User: authorization-spec)
source-spec -> (Source: authorization-spec)
destination-spec -> (Destination: authorization-spec)
authorization-spec -> (Any: certificate-list ) | certificate-list
certificate-list -> certificate-spec certificate-list_(opt)
certificate-spec -> (Certificate: (Authority: authority-id) property-list_(opt))
property-list -> property-pair | property-pair property-list
property-pair -> (property-name: property-value)
property-name -> literal-constant
property-value -> string-constant | literal-constant | floating-constant | integer-constant
watermark-spec -> watermark-info-list
watermark-info-list -> watermark-str-spec_(opt) watermark-info-list_(opt) | watermark-token-spec_(opt) watermark-info-list_(opt) | watermark-object-spec_(opt) watermark-info-list_(opt)
watermark-str-spec -> (Watermark-Str: watermark-str)
watermark-token-spec -> (Watermark-Tokens: watermark-tokens)
watermark-tokens -> watermark-token watermark-tokens_(opt)
watermark-token -> all-rights | render-rights | user-name | user-id | user-location | institution-name | institution-id | institution-location | render-name | render-id | render-location | render-time
watermark-object-spec -> (Watermark-Object: work-id)

What is claimed is:
 1. A system for controlling the distribution and useof digital works comprising: means for creating usage rights, eachinstance of a usage right representing a specific instance of how adigital work may be used or distributed; means for attaching a createdset of usage rights to a digital work including a rendering right, saidrendering right for permitting said digital work to be rendered, saidrendering right further specifying watermark information to be embeddedinto a rendering of said digital work, said watermark informationincluding information related to the rendering of said digital work andsand rendering right further specifying rendering criteria that aninstance of a rendering system must satisfy before the digital work canbe rendered, said rendering right originally being an external data withrespect to the watermark; a communication medium for couplingrepositories to enable exchange of repository transaction messages, ageneral repository for storing a securely exchanging digital works withattached usage rights; a rendering system comprising a renderingrepository for receiving a digital work to be rendered from said generalrepository and a rendering device for rendering digital works, saidrendering repository further comprising: means for gathering watermarkinformation specified in a rendering right associated with said digitalwork to be rendered; and means for encoding said watermark informationfor embedding in said digital work when rendered.
 2. The system as recited in claim 1 wherein said rendering criteria is comprised of a predetermined security level and predetermined watermarking capabilities.
 3. The system as recited in claim 1 wherein said rendering right is a print right, said rendering system is a printing system and said rendering repository is a printer repository.
 4. The system as recited in claim 3 further comprising digital work authoring means having means for placing a watermark character on a digital document.
 5. The system as recited in claim 4 wherein said means for encoding said watermark information for embedding in said digital work when rendered is further comprised of means for encoding glyph patterns based on said watermark information to create a dynamic watermark font, wherein said glyph patterns correspond to watermark characters.
 6. The system as recited in claim 5 wherein said means for encoding said watermark information for embedding in said digital work when rendered is further comprised of means for changing said watermark characters to have said dynamic watermark font.
 7. The system as recited in claim 3 wherein said printer repository is in the same enclosure as said print device.
 8. The system as recited in claim 3 wherein said printer repository is in a different enclosure from said print device.
 9. The system as recited in claim 1 wherein said printer repository is further comprised of means for causing a printing fee to be paid when said [document] digital work is printed.
 10. The system as recited in claim 1 further comprising a watermark extraction means for extracting the watermark information from said digital work.
 11. The system as recited in claim 10 wherein said watermark extraction means is further comprised of: a scanner device for creating a bit mapped representation of a printed medium; means for locating said watermark in said bit mapped representation of a printed medium; and means for decoding embedded data contained in said watermark.
 12. The system as recited in claim 11 wherein said means for decoding embedded data contained in said watermark of said watermark extraction means is comprised of means for decoding glyph patterns.
 13. In a system for controlling the distribution and use of digital works, a method for providing a watermark on a rendered digital work comprising the steps of: a) a digital work creator assigning a rendering right to said digital work and storing in a distribution repository, said rendering right specifying watermark information indicating information identifying a rendering event and rendering criteria that an instance of a rendering system must satisfy before the digital work can be rendered; b) a user obtaining an encrypted version of said digital work from said distribution repository and storing in a user repository; c) said user requesting that said digital work be rendered; d) said user repository determining if said digital work has the appropriate rendering right; e) if said digital work has the appropriate rendering right, said user repository communicating with a rendering repository to establish a trusted session; f) said user repository transferring said digital work to said rendering repository; g) said rendering repository gathering watermark information specified in said rendering right and determining that it meets the required rendering criteria; h) said rendering repository encoding data for said watermark information; i) said rendering repository decrypting said digital work and embedding said watermark information, to be transmitted for subsequent extraction of watermark information; and j) said rendering repository transmitting said digital work with embedded watermark information to a rendering device for rendering.
 14. The method as recited in claim 13 wherein said rendering right is a print right and said rendering repository is a printer repository.
 15. The method as recited in claim 14 wherein prior to said step of said digital work creator storing said digital work in a distribution repository, said digital work creator placing watermark characters on said digital work, said watermark characters in an original watermark font.
 16. The method as recited in claim 15 wherein said rendering event is printing of the digital work and said step of said rendering repository gathering watermark information specified in said rendering right is further comprised of the step of said rendering repository obtaining identification certificates for said user repository and said printer repository and extracting identification information.
 17. The method as recited in claim 16 wherein said step of said print repository encoding data for said watermark information is further comprised of the step of defining glyph patterns defining said watermark information as characters in a dynamic watermark font.
 18. The method as recited in claim 17 wherein said step of said printer repository embedding said watermark information is further comprised of the step of said printer repository changing the original watermark font of said watermark characters to said dynamic watermark font.
 19. In a system for controlling the distribution and use of digital works, a method for providing a watermark on a rendered digital work comprising the steps of: a) a digital work creator assigning a rendering right to said digital work and storing in a distribution repository, said rendering right specifying criteria for a rendering system that must be satisfied before the digital work can be rendered and watermark information indicating information identifying a rendering event; b) a user requesting a rendered version of said digital work be rendered on a user rendering system having a rendering repository; c) said distribution repository determining if said user rendering system meets the specified criteria in said rendering right; d) if said rendering system satisfies said specified criteria, said distribution repository encrypting said digital work and sending to said rendering repository; e) said rendering repository gathering watermark information specified in said rendering right; f) said rendering repository encoding data for said watermark information; g) said rendering repository decrypting said digital work and embedding said watermark information, to be transmitted for subsequent extraction of watermark information; and h) said rendering repository transmitting said digital work with embedded watermark information to a rendering device for rendering.
 20. The method as recited in claim 19 wherein said criteria for said rendering repository is comprised of a security criteria and a watermarking criteria.
 21. The method as recited in claim 19 wherein said rendering right is further for specifying watermark information indicating information identifying a rendering event.
 22. The method as recited in claim 21 wherein said rendering right is a print right and said rendering repository is a printer repository.
 23. The method as recited in claim 13, wherein said rendering criteria is further comprised of a predetermined security level for said rendering system.
 24. The system as recited in claim 13, wherein said rendering criteria is further comprised of a predetermined watermarking capabilities for said rendering system.
 25. A system for controlling the distribution and use of digital works comprising: at least one digital work having an associated rendering usage right, said associated rendering usage right for permitting said digital work to be rendered, said rendering usage right further specifying watermark information to be embedded into a rendering of said digital work, said watermark information including information related to the rendering of said digital work, and said rendering usage right further specifying rendering criteria that an instance of a rendering system must satisfy before the digital work can be rendered, said rendering right originally being an external data with respect to the watermark; a communication medium for coupling repositories to enable exchange of repository transaction messages, a general repository for storing and securely exchanging digital works; a rendering system comprising a rendering repository for receiving a digital work to be rendered from said general repository and a rendering device for rendering digital works, said rendering repository further comprising: means for determining that said rendering system meets said rendering criteria; means for gathering watermark information specified in a rendering right associated with said digital work to be rendered; and means for encoding said watermark information for embedding in said digital work when rendered.
 26. The system as recited in claim 25, wherein said rendering criteria is further comprised of a predetermined security level for said rendering system.
 27. The system as recited in claim 25, wherein said rendering criteria is further comprised of a predetermined watermarking capabilities for said rendering system.
 28. A method for providing watermark information for a rendered digital work, said method comprising the steps of: a) a digital work creator placing watermark characters on said digital work, said watermark characters in an original watermark font; b) said digital work creator assigning a rendering right to said digital work and storing in a distribution repository, said rendering right specifying watermark information indicating information identifying a rendering event; c) a user requesting a rendered version of said digital work be rendered on a user rendering system having a rendering repository; d) said rendering repository gathering watermark information specified in said rendering right; e) said rendering repository encoding data for said watermark information as characters in a dynamic watermark font, with the capability to be changed, using an embedded data technology; f) said rendering repository changing the original watermark font of said watermark characters to said dynamic watermark font; and g) said rendering repository transmitting said digital work with embedded watermark information to a rendering device for rendering.